Invision Board Forum Software Discloses Configuration Information to Remote Users
SecurityTracker Alert ID: 1005283|
SecurityTracker URL: http://securitytracker.com/id/1005283
(Links to External Site)
Date: Sep 25 2002
Disclosure of system information|
Exploit Included: Yes |
An information disclosure vulnerability was reported in the default installation of the Invision Board forum software. A remote user can obtain configuration information about the server.|
It is reported that the default installation of Invision Board installs the 'phpinfo.php' file by default. This file calls the phpinfo() function to return data about the system.
A remote user can request the file to obtain various configuration data about the target server. This information may include operating system version, PHP build date, PHP configuration options, PHP installation path, and other setting details.
The vendor has reportedly been notified.
A remote user can view system configuration data.|
No solution was available at the time of this entry.|
Vendor URL: www.invisionboard.com/ (Links to External Site)
Access control error, Configuration error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: Information Disclosure with Invision Board installation (fwd)|
Since the vendors didn't bother to respond, I might as well forward this
Basic jizt - Invision Board (all version) - installation guide copies
across phpinfo.php, a file which calls phpinfo().
(just do a search on Google for "Invision Board" and append phpinfo.php to
Why is this bad? Well, duh. It gives you system varibles, path names,
modules of apache, PHP setup, Apache module version numbers etc etc.
Note to vendors: please reply to security mail in the future.
---------- Forwarded message ----------
Date: Mon, 23 Sep 2002 20:31:41 +0100 (BST)
From: Gossi The Dog <firstname.lastname@example.org>
Cc: email@example.com, firstname.lastname@example.org
Subject: Information Disclosure with Invision Board installation
Okay, how to explain this one...
The installation procedure for Invision Board advises to upload various
files and directorys. One of these is 'phpinfo.php'.
Now, I'm sorry, but this is dumb.
I can now tell you don't have PHP Safe mode installed, exactly what Apache
modules you have loaded, your full Apache SERVER_SOFTWARE (Apache/1.3.26
(Unix) mod_bwlimited/1.0 PHP/4.2.1 mod_log_bytes/0.3 FrontPage/18.104.22.1680
PHP modules, settings, system variables... They're all out there. Also,
note, your OpenSSL version is out of date and fully remotely exploitable
(I managed to obtain that from phpinfo.php - you had it hidden before, but
phpinfo.php discloses this information).
Do you agree this is a problem?
You need to modify the installation guide to say this file should *only*
be uploaded for diagnoises and debugging reasons, and possible move it to
a different folder (eg debug) to stop people uploading it by accident.
People also need to be reminded to *remove* the file if they upload it for
debugging purposes after they finish.
You also need to notify existing users of the software about the file.
I did a quick Google search for "Invision Board", and every single one of
the boards I tried (About 50) had the file. Oops.
I'm planning to do some kind of bugtraq announcement after I've got a plan
of action from yourselves (and I've given you a decent grace period),
basically to make sure as many people as possible remove the file.
Gossi The Dog.
Go to the Top of This SecurityTracker Archive Page